From c0289d63c39401e9555d4852ac74043d70a085f3 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Mon, 28 Dec 2009 23:14:43 +0100
Subject: s3: Move a lp_winbind_trusted_domains_only() check to wb_getgrsid()

winbindd_getgrgid was not protected by this.
---
 source3/winbindd/wb_getgrsid.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'source3/winbindd/wb_getgrsid.c')

diff --git a/source3/winbindd/wb_getgrsid.c b/source3/winbindd/wb_getgrsid.c
index 03d71e45b9..bb93be2174 100644
--- a/source3/winbindd/wb_getgrsid.c
+++ b/source3/winbindd/wb_getgrsid.c
@@ -52,6 +52,17 @@ struct tevent_req *wb_getgrsid_send(TALLOC_CTX *mem_ctx,
 	state->ev = ev;
 	state->max_nesting = max_nesting;
 
+	if (lp_winbind_trusted_domains_only()) {
+		struct winbindd_domain *our_domain = find_our_domain();
+
+		if (sid_compare_domain(group_sid, &our_domain->sid) == 0) {
+			DEBUG(7, ("winbindd_getgrsid: My domain -- rejecting "
+				  "getgrsid() for %s\n", sid_string_tos(group_sid)));
+			tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
+			return tevent_req_post(req, ev);
+		}
+	}
+
 	subreq = wb_lookupsid_send(state, ev, &state->sid);
 	if (tevent_req_nomem(subreq, req)) {
 		return tevent_req_post(req, ev);
-- 
cgit